[Dnssec-trigger] [dns-operations] unbound-bind chain causing validation failures on synthesized records

Ondřej Caletka ondrej at caletka.cz
Mon Jul 16 08:33:59 UTC 2012


Hi,

On 10.7.2012 01:49, Paul Wouters wrote:
> I'm CC:ing the dnssec-trigger list, as it might need to come up with a
> new probe to detect this.

I would also vote for this kind of detection. I already ran into the
same issue when testing DNSSEC-trigger. The chaining problem seems fixed
in BIND 9.9.0 and newer. But since there are still so many BIND 9.7
servers running out there, it is not safe to forward your unbound to the
DHCP-assigned DNS server. And the current DNSSEC-trigger does not find out
that something is wrong.

I created a testing page to check your ability to reach synthesized
names. Feel free to try it:
http://0skar.cz/dns/en/

Cheers,
Ondřej Caletka
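One shape such a probe could take, as an added example that is not part of dnssec-trigger or of the message above: a stdlib-only Python script that sends the candidate forwarder (the DHCP-assigned server) a query for a wildcard-synthesized name with EDNS0 and the DO bit set, then inspects the raw reply. The check is generic: a validator such as unbound that forwards to this server can only validate a wildcard-synthesized positive answer if the reply carries the RRSIGs and the NSEC/NSEC3 proof that no closer name exists (RFC 4035 section 3.1.3.3), so the probe reports SERVFAIL, a signed answer without that proof, and an unsigned answer as separate outcomes and ignores the forwarder's own AD bit. Whether a given BIND 9.7 chain fails for exactly this reason is not something the message states. The name `wild.example.net` is a placeholder; use a name you know is synthesized from a wildcard in a signed zone. `synth_reply` builds constructed replies so the parsing and assessment logic runs offline.

```python
"""Probe a candidate forwarder for how it serves a DNSSEC wildcard-synthesized name.

Added example, not part of dnssec-trigger. Stdlib wire-format code only, so the
logic can be exercised offline with constructed replies (see synth_reply).
"""
import socket
import struct

TYPE_A, TYPE_OPT, TYPE_RRSIG, TYPE_NSEC, TYPE_NSEC3 = 1, 41, 46, 47, 50
RCODE_NOERROR, RCODE_SERVFAIL = 0, 2


def build_query(name, qtype=TYPE_A, txid=0x1234):
    """DNS/UDP query for `name` with RD set, an EDNS0 OPT record and the DO bit."""
    header = struct.pack('!HHHHHH', txid, 0x0100, 1, 0, 0, 1)  # RD=1; one RR in additional
    qname = b''.join(bytes([len(label)]) + label.encode('ascii')
                     for label in name.rstrip('.').split('.')) + b'\x00'
    question = qname + struct.pack('!HH', qtype, 1)  # class IN
    # OPT RR: root name, type 41, "class" = UDP payload size, TTL field carries DO (0x8000)
    opt = b'\x00' + struct.pack('!HHIH', TYPE_OPT, 4096, 0x00008000, 0)
    return header + question + opt


def _skip_name(msg, off):
    """Offset just past the (possibly compressed) domain name starting at `off`."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:       # compression pointer: two bytes, terminates the name
            return off + 2
        off += 1 + length


def parse_response(msg):
    """Header flags plus the list of RR types in each section."""
    txid, flags, qd, an, ns, ar = struct.unpack('!HHHHHH', msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4      # QTYPE + QCLASS
    sections = {}
    for section, count in (('answer', an), ('authority', ns), ('additional', ar)):
        types = []
        for _ in range(count):
            off = _skip_name(msg, off)
            rtype, _rclass, _ttl, rdlen = struct.unpack('!HHIH', msg[off:off + 10])
            off += 10 + rdlen
            types.append(rtype)
        sections[section] = types
    return {'id': txid, 'rcode': flags & 0x000F, 'ad': bool(flags & 0x0020),
            'tc': bool(flags & 0x0200), 'sections': sections}


def assess(parsed):
    """What a validating resolver forwarding to this server gets for a wildcard name.

    A positive answer synthesized from a wildcard validates only if the reply carries
    the RRSIGs and the NSEC/NSEC3 proving no closer name exists (RFC 4035 s3.1.3.3).
    The forwarder's own AD bit is ignored: the downstream validator re-validates.
    """
    if parsed['rcode'] == RCODE_SERVFAIL:
        return 'servfail: forwarder cannot serve the synthesized name with DO set'
    if parsed['rcode'] != RCODE_NOERROR:
        return 'unexpected rcode %d' % parsed['rcode']
    if parsed['tc']:
        return 'truncated: retry over TCP before judging'
    has_rrsig = TYPE_RRSIG in parsed['sections']['answer']
    has_proof = any(t in (TYPE_NSEC, TYPE_NSEC3) for t in parsed['sections']['authority'])
    if has_rrsig and has_proof:
        return 'ok: signed answer with wildcard proof, safe to forward to'
    if has_rrsig:
        return 'broken: signed answer without NSEC/NSEC3 proof, downstream validation will fail'
    return 'unsigned: no RRSIG in answer'


def synth_reply(query, rcode, ad, answer_types=(), authority_types=()):
    """Constructed reply to `query` for offline testing: echoes the question and adds
    empty-rdata RRs of the given types, each named by a pointer to the qname."""
    txid = struct.unpack('!H', query[:2])[0]
    qend = _skip_name(query, 12) + 4
    flags = 0x8180 | (0x0020 if ad else 0) | rcode            # QR, RD, RA (+AD), rcode
    header = struct.pack('!HHHHHH', txid, flags, 1,
                         len(answer_types), len(authority_types), 0)

    def rr(rtype):
        return b'\xc0\x0c' + struct.pack('!HHIH', rtype, 1, 300, 0)

    body = b''.join(rr(t) for t in tuple(answer_types) + tuple(authority_types))
    return header + query[12:qend] + body


def probe(server, name='wild.example.net', timeout=3.0):
    """Live probe over UDP (placeholder name; use a wildcard name in a signed zone you know)."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        data, _ = sock.recvfrom(4096)
    parsed = parse_response(data)
    if parsed['id'] != struct.unpack('!H', query[:2])[0]:
        return 'mismatched transaction id'
    return assess(parsed)
```

`probe('192.0.2.53')` (a documentation address standing in for the DHCP-assigned resolver) returns one of the assessment strings; a trigger-style integration would treat anything other than the `ok:` outcome as a reason not to forward unbound to that server. The UDP path has no TCP fallback, so a `truncated` verdict means the probe should be repeated over TCP rather than taken as a failure.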
